Iran’s regime is suspected of conducting a counterintelligence operation targeting Iranians and domestic threats with potential ties to foreign intelligence agencies, particularly Israel’s.
The operation, active since at least 2017, leverages fake recruiting websites to collect personal and professional data from targeted individuals, which is likely used to identify individuals involved in HUMINT operations against Iran and to persecute those suspected of collaboration with adversarial countries.
The campaign’s tactics and targeting align with previous Iran-nexus threat actor activities, suggesting a potential connection to the IRGC Intelligence Organization.
Hackers created a network of fake Farsi-language recruitment websites disguised as Israeli HR firms, which used similar design templates and were spread online through fake social media accounts.
The attackers aimed to trick Farsi speakers into visiting the sites and to socially engineer them into surrendering personal information. They disseminated links to the fake recruitment websites on social media platforms such as X and Virasty, primarily targeting users in Iran.
One X post in Farsi contained a link to the malicious website topwor4u[.]com and enticed potential victims with promises of joining a global team of information and cyber professionals. The post was designed to lure users into clicking the malicious link, potentially leading to malware infection or data theft.
Researchers discovered a network of fake recruitment websites designed to target Iranian individuals with IT and cyber security backgrounds. The sites disguised themselves as legitimate HR firms (“Optima HR,” “Kandovan HR”) specializing in information security and offered “excellent salary” and “privacy protection.”
The sites used templates with Farsi descriptions and promoted an affiliation with Israel through visuals (flags, landmarks) in the website design and through Telegram contact links containing “IL” references.
The websites were created using a WordPress account with the username “miladix,” which is potentially linked to the campaign administrator based on a matching Persian name, “Milad,” found on a social media account.
The Mandiant report reveals a multi-year Iranian cyber espionage campaign targeting individuals affiliated with security and intelligence organizations. The attackers used fake recruitment websites (VIP Human Solutions and Optima HR) to lure targets into submitting personal and professional information through online forms.
These websites were active from at least 2018 and targeted Farsi speakers in Iran as well as Arabic speakers in Syria and Lebanon (Hezbollah). The attackers also used social media platforms (Telegram) and fabricated contact details (including Israeli phone numbers) to further deceive potential victims.
The Iranian government is conducting a social engineering campaign to identify and target individuals suspected of collaborating with adversarial countries.
The campaign uses fake HR websites, promoted on multiple social media platforms, to collect personal information from Farsi-speaking individuals, potentially exposing them to future retaliation. It poses a significant threat to Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.